United Airlines is starting a bug bounty program aimed at finding flaws in its web portals – but the rewards it's offering aren't paid in money, but in air miles.
"At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure," the company said.
"We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort."
Rewards are payable on a sliding scale. Find a cross-site scripting flaw and the airline will dole out 50,000 air miles. A more serious authentication bypass flaw or a method for carrying out a denial-of-service attack could earn you 250,000 miles. The top prize, with a million-mile payout, will be awarded for problems that would allow remote code execution on United's online properties.
There are, of course, some ground rules. Researchers can't attempt live attacks against the site or coerce information from United's employees. They will also need to be members of United's air miles program – although that would mean they must have flown with the airline and not have been put off by the lousy customer service, uncomfortable seats, and awful food.
United doesn't seem to understand that researchers who take part in bug bounty programs often do it to make a living, and air miles are not negotiable currency for things like rent, food, or beer. While offering air miles is good sense for United, it's hardly going to attract the best and the brightest, considering what other bounty programs are offering.
For example, in March, South Korean security researcher Jung Hoon Lee earned $255,000 in a couple of hours after cracking browsers in the CanSecWest Pwn2Own hacking contest run by Google and HP. In the same competition, security researcher Nicolas Joly scooped $90,000 in a few minutes for cracking Adobe's Flash and Reader software.
Outside of the competitive circuit, Google regularly pays out between $500 and $30,000 for bugs, while Facebook has paid over $3m to flaw finders in its programs. Even Microsoft, which held out against paying for security work for many years, has now handed out hundreds of thousands of dollars to those who find flaws in its code.
When you match that against United's offering, it seems likely that researchers will follow the money and eschew the airline's offer. Then again, if you're desperate for a holiday and have a masochistic bent, United might have the bug bounty program for you. ®